----- Original Message -----
From: "Roger Moser" <Roger(_dot_)Moser(_at_)pamho(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, May 19, 2004 5:24 PM
Subject: [spf-discuss] let's get rid of SRS
Meng Weng Wong wrote:
Say, how would folks feel if we got rid of SRS and replaced it with a
less onerous workaround?
We don't have to get rid of SRS completely. We just have to do it already
at
the sender (the domain that publishs the SPF record):
The sender signs a hash of the envelope sender (plus time stamp) by using
a
private RSA key and in the SPF record publishs the pulic key needed to
check
the signature. For example: "v=spf1 a mx ses:...public_key... -all"
meaning
"all mail from us has a signed envelope sender and here is the method to
check it".
Using RSA keys gets into various national and international encryption
regulations. It's a nasty, nasty software booby trap, one that has been
previously slammed into headlong by the open source community and the
security community.
Very seriously, beware of forcing servers to RSA authenticate themselves.